4
我有一個web應用程序,前端有angularJS,後端有Java。 Angular通過Restful Web服務通過HTTP消費和發送JSON來與java後端進行通信。我需要爲這個應用程序構建身份驗證機制,並想知道如何纔是最好的方法,目前我正在使用基於JAAS的身份驗證(JDBC用戶表)。這是我的應用程序是如何配置:如何整合基於angularjs和java jaas的身份驗證?
我的web.xml配置有:
<login-config>
<auth-method>FORM</auth-method>
<realm-name>userauth</realm-name>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/loginError.html</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<display-name>ConstraintSSL</display-name>
<web-resource-collection>
<web-resource-name>protected</web-resource-name>
<description/>
<url-pattern>/checkout/*</url-pattern>
<url-pattern>/login/*</url-pattern>
<url-pattern>/login.*</url-pattern>
<url-pattern>/account/*</url-pattern>
<url-pattern>/ad/create</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<display-name>ConstraintUser</display-name>
<web-resource-collection>
<web-resource-name>user</web-resource-name>
<description/>
<url-pattern>/account/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>ADMINISTRATORS</role-name>
<role-name>USERS</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<description/>
<role-name>USERS</role-name>
</security-role>
<security-role>
<description/>
<role-name>ADMINISTRATORS</role-name>
</security-role>
<session-config>
<session-timeout>30</session-timeout>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
<welcome-file-list>
<welcome-file>init.html</welcome-file>
</welcome-file-list>
init.html只重定向到它加載的角度,並開始實際應用一個index.html頁面。
現在,這裏是我的UserController中負責處理在客戶端(瀏覽器)用戶相關的活動:
myControllers.controller('UserController', ['$scope', '$routeParams', 'UserService',
function($scope, $routeParams, UserService) {
$scope.logged = false;
// if User is not detected by cookie
$scope.user = fetchUserFromCookie();
if (! $scope.user) {
// set default guest user
$scope.user = {
firstName : 'guest',
lastName : 'user',
preferredCurrency : "USD$",
sessionHash: "XXXXXX",
shoppingCart : {
totalItems : 0,
total : 0
}
};
}
$scope.login = function(userName, pass) {
$scope.user = UserService.login(userName, pass);
$scope.logged = true;
};
$scope.logout = function(userName) {
$scope.user = UserService.logout(userName); // warn server side you're logging out
$scope.logged = false;
$scope.user = null;
};
}]);
我的目標是提供一個登錄頁面與基於JAAS JDBC認證,並只允許那些用戶,其具有特定的ADMIN角色或USER角色來查看某個頁面,如何在基於angularJS + Java的應用程序中實現此目的?
我的主要問題是與會話跟蹤,
如何跟蹤特定用戶授予訪問權限,並有權更改特定的記錄?
如何防止手動更改手動更改JS代碼或更改Cookie以劫持用戶會話?
總是進行服務器端權限檢查,並且不會出現問題#3! – madhead
是的,但如何實現?我如何知道調用REST端點的實際客戶端是特定的授權用戶?我應該在會話期間傳遞客戶端和服務器周圍的令牌嗎?你能指出一個示例實現嗎?謝謝 – guilhebl
我有一個類似的問題,發現後http://www.aschua.de/blog/pairing-angularjs-and-javaee-for-authentication/。也許這對你也有幫助,即使有點晚了。 –